Marist College Information Security Policy
February 2005

Contents
Introduction
Purpose of Information Security Policy
Information Security - Definition
Applicability
Roles and Responsibilities
  Information Security Policy Steering Committee
  College Information Security Officer
  IT Security Procedures and Practices Working Group
  Stewards
  IT Internal Auditor
  Managers
  Users
Information Classification
Policy Violations
Rights Reserved to Marist College
Reporting Violations
Policy Sanctions
Approval Process
Review Cycle
Appendices
  A. Information Security Policy Steering Committee Members
  B. IT Security Procedures and Practices Working Group
  C. Marist College Standard for Information Classification

This document establishes the Information Security Policy for Marist College.

Introduction
The Marist College Information Security Policy supports the College's mission of "...helping students develop the intellect, character, and skills required for enlightened, ethical and productive lives in the global community of the 21st century." Marist is committed to providing a computing environment that protects the community's academic freedom. Nothing in this document is intended to, or should be construed to, limit academic freedom or any legitimate use of Marist information resources (defined below). At the same time, Marist is committed to ensuring the integrity and confidentiality of its data, meeting legal and regulatory requirements, and ensuring that the use of its computing resources meets the highest ethical standards. The Executive Vice President has overall responsibility for this policy.

Purpose of Information Security Policy
The purpose of the Marist College Information Security Policy is to:
1. Communicate to the Marist community their rights and responsibilities related to the use of information resources;
2. Establish rules to effectively protect information resources from misuse or abuse;
3. Establish information security roles and responsibilities within Marist College;
4. Ensure that Marist College complies with state and federal law and regulation regarding information security;
5. Provide assurance to our stakeholders that Marist is taking appropriate measures to meet best practices for securing information resources;
6. Establish mechanisms for responding to security-related issues.
This policy also recognizes that information security evolves. It is therefore written with the expectation that it will change as the security environment changes.

Information Resources - Definition
For the purpose of this policy, information resources refers to:
1. All Marist College-owned computer hardware, software, communications equipment, networking equipment, networking and telecommunications protocols, and associated storage and peripherals;
2. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that are connected to any Marist College information resource;
3. All computer hardware, software, communications equipment, networking equipment, associated storage and peripherals that store or transmit information that belongs to Marist College;
4. All data, information and intellectual property that may be transmitted over or stored on any Marist College information resource;
5. Any paper reports, microfilm, microfiche, books, films or other media containing information, data or intellectual property that is the property of Marist College.

Information Security - Definition
Information Security is the protection of information resources against unintended uses. This includes, but is not limited to, protection against:
1. Inappropriate release of data (whether deliberate or inadvertent);
2. Access to the College's data without the permission of Marist College;
3. Illegal or unethical use of Marist College's data, computing or network resources;
4. Disruption of computing and network resources at Marist College, or disruption caused by resources of Marist College;
5. Violations of the intellectual property rights of Marist College and members of the Marist community;
6. Violations of intellectual property rights by members of the Marist community;
7. Other activities that interfere with the education, research or service mission of the College.

Applicability
This policy applies to all Marist students, faculty and staff, and to anyone else who has access to or uses any Marist College information resource. Contractors performing work for Marist College that involves any information resource must also meet the requirements of this policy. This policy is meant to be consistent with all other College policies. Where state or federal law, regulation or local policy imposes more specific or more stringent requirements than this policy, the law, regulation or policy takes precedence.

Roles and Responsibilities
All members of the College community share the responsibility for protecting the information resources to which they have access or custodianship. The specific information security roles and responsibilities within the Marist community are listed below.
Information Security Policy Steering Committee
The Information Security Policy Steering Committee is a College-wide committee chaired by the Executive Vice President and charged with:
a) Establishing a secure and stable environment and providing leadership for the security of our information resources;
b) Developing policies relative to the security of our information resources;
c) Providing guidance to the IT Security Procedures and Practices Working Group;
d) Providing periodic reports and updates to the President, the Cabinet and the Technology Committee of the Board of Trustees.
The membership list for this committee appears in Appendix A.

College Information Security Officer
The College Information Security Officer (CISO) is designated in writing by the Vice President and Chief Information Officer (CIO). The CISO has primary responsibility for implementation of the College's information security policy, practices and processes, and reports to the Vice President for Information Technology and Chief Information Officer. The responsibilities of the CISO include:
1. Staying abreast of federal and state legislation and its impact on security policy and planning;
2. Monitoring security activities and best practices at institutions of higher education;
3. Implementing and auditing College-wide information security practices as established by the Information Security Policy Steering Committee;
4. Advising the Executive Vice President and the CIO on requests to implement information resources that deviate from approved College information security practice or policy;
5. Disconnecting, blocking or removing from the Marist College network any information resource that violates this policy, state or federal law or regulation, or other policies of Marist College;
6. Investigating all actual or potential information security incidents or violations of this policy, and reporting to the Executive Vice President and the CIO, as well as to other Vice Presidents or unit heads as appropriate to the incident;
7. Coordinating the information security activities of Marist College with appropriate state or federal agencies as required by law;
8. Serving as the College's point of contact for any alleged copyright or intellectual property infringement;
9. Serving as, or supporting, existing College compliance officers for federal information security and privacy mandates;
10. Taking necessary and immediate action to prevent damage to the College's information resources in an emergency (e.g., blocking ports on a border router to prevent the spread of viruses);
11. Developing a College-wide information security education program that includes:
a) Working with the Office of Human Resources to develop information security training and education for all Marist College employees,
b) Working with ResNet, the Student Affairs Office and the School of Computer Science and Math to develop information security training and education for all Marist College students,
c) Informing the Information Security Policy Steering Committee and the College community of security issues and safeguards,
d) Maintaining the College's Information Security Web site,
e) Providing information for the CIO to inform the Cabinet, Deans, Trustees and others of security issues and safeguards;
12. Granting, with the advice and consent of the Executive Vice President and the CIO, deviations from this policy where such deviations are required for the smooth operation of the College.
IT Security Procedures and Practices Working Group
The IT Security Procedures and Practices Working Group is a cross-functional team within IT, chaired by the College Information Security Officer, with the following responsibilities:
a) Establishes standards, procedures and guidelines to implement the policies set by the Information Security Policy Steering Committee, including the appointment and oversight of Marist IT internal auditors to ensure compliance with policies and standards;
b) Advises the Information Security Policy Steering Committee on existing and proposed new policies;
c) Proposes policy changes to the Steering Committee;
d) Provides the Marist community with education on security issues and practices;
e) Establishes and monitors the work of the Security Incident Response Team;
f) Manages the Central Security System.
The membership list for this group is shown in Appendix B.

Stewards
Stewards are senior supervisory personnel within a specific department who have primary responsibility for particular information. A steward will be appointed for all information covered under this policy. Stewards are designated in writing by the Vice President in charge of the department responsible for maintaining the information in question. In addition, faculty are the stewards of their research and course materials, and students are the stewards of their work.
Stewards determine who is authorized to access the Marist College information resources under their management. They shall make sure that those with access have a need to know the information and know the security requirements for that information. Information may be disclosed only if disclosure is consistent with law, regulations and College policies, including those covering privacy. Except under unusual and specifically recognized circumstances, access shall be granted to individuals in a manner that provides individual accountability.
Stewards shall keep records documenting the creation, distribution and disposal of College information. Stewards shall report suspected or known compromises of their information to the CISO at security@marist.edu. Incidents will be treated as confidential unless there is a need to release specific information.
Stewards must:
a) Identify the electronic information resources within the areas under their control;
b) Ensure adequate backups (for data not stored on central IT resources) and other safeguards for all information under their purview;
c) Ensure that all data under their purview is maintained in a manner that provides up-to-date and accurate information for the College;
d) Define the purpose and function of the resources and ensure that the necessary education and documentation are provided to the campus as needed;
e) Establish acceptable levels of security risk for resources by assessing factors such as:
• Legal or intellectual property requirements,
• Criticality of the information for College operations, research projects or other essential activities,
• Likelihood of misuse of the information resources,
• Technological, programmatic, cost or staffing limitations;
f) Ensure that the required security measures are implemented for the information resources under their purview.

IT Internal Auditor
Internal auditors are designated IT staff with cross-functional responsibilities. They must:
a) Oversee the enforcement of the Information Security Policy;
b) Identify information security risks and report them to the IT Security Procedures and Practices Working Group;
c) Identify Information Security Policy violations and report them immediately to the CISO;
d) Audit Information Technology operations, policies and practices to ensure conformance with this policy.
In accordance with College audit procedures, the Internal Auditors will conduct audits of the College's information security procedures and practices, including the privacy and confidentiality procedures in individual offices, on a regular, periodic basis. An internal auditor cannot supervise or work within the area for which that auditor has audit responsibility.

Managers
Managers are members of the College community who have management or supervisory responsibility, including deans, department chairs, directors, department heads, group leaders, supervisors, etc. Faculty who supervise teaching and research assistants are included. Managers shall provide an environment that promotes security and shall make sure their staff have the training and tools needed to protect information. Managers must:
a) Make sure the people they manage have the access authorizations needed to perform their jobs. The authorizations themselves are obtained from the Stewards of the information resources;
b) Ensure that employees, including student employees, lose access when their employment is terminated or their job responsibilities change;
c) Administer and retain confidentiality statements for the people they manage or supervise where confidentiality statements are required by the steward(s) of the information.

Users
Users are individuals who access and use campus electronic information resources. Without exception, all members of the College community are "Users" of Marist's information resources. Users must:
a) Become knowledgeable about relevant security requirements and guidelines;
b) Protect the information resources they have access to or control, such as access passwords, computers and data;
c) Adhere to all College information security policies and procedures;
d) Use Marist information resources in an ethical manner consistent with the College's mission.
The CISO, with the advice and consent of the IT Security Procedures and Practices Working Group and the Information Security Policy Steering Committee, shall publish and enforce guidelines for users relating to physical security, logical security, passwords, software and patches, data backup, viruses, remote access and other topics critical to the information security posture of Marist College.

Information Classification
Data and information owned by Marist College must be protected to ensure that the rights of Marist College, its students, faculty and staff are safeguarded. These safeguards are required in some cases by law, in some cases by College policy, and in some cases by high ethical standards. Appendix C contains the Marist College information classifications. The Information Security Policy Steering Committee is responsible for monitoring and maintaining these classifications.

Policy Violations
It is a violation of this policy to:
1. Interfere with the normal operation of any Marist College information resource;
2. Use Marist College information resources to interfere with the normal operation of information resources outside of Marist College;
3. Use Marist College information resources to:
a) Violate local, state, federal or international law,
b) Cause, encourage or facilitate others in violating local, state, federal or international law;
4. Access, or cause another to access, any information resource without the permission of the CISO or the appropriate steward. The CISO will work with the stewards to develop a consistent, documented process for granting access to information resources. Permission to access publicly accessible Web pages is given generally;
5. Access, or cause another to access, intellectual property, copyright-protected property or other legally protected property without permission from the property's owner;
6. Release information resources without the approval of the appropriate office of Marist College;
7. Use any information resource to violate any policy of Marist College;
8. Use any information resource to violate the security policy, acceptable use policy or other operational policies of organizations or institutions outside of Marist College;
9. Promulgate software, data files or other materials that can reasonably be considered viruses, Trojans or other "malware";
10. Use information resources to take part in, encourage or foster the development, exploitation or use of software, data files or other materials that can reasonably be considered viruses, Trojans or other "malware";
11. Scan any information resource of Marist College without the written approval of the CISO;
12. Capture or monitor network transmissions, telecommunications transmissions, or any information resource without the written approval of the CISO or, in the case of data, the written permission of the appropriate steward;
13. Share userids, passwords, identity cards or other means of access to information resources. Exceptions may be requested of the CISO but will not generally be granted unless significant resource or operational inefficiency would result from not granting the exception;
14. Connect any device to, or disconnect any device from, an information resource without the written permission of the CISO. A general exception is given to Information Technology staff who, as part of their normally assigned duties, continually connect and disconnect equipment from information resources. In addition, a general exception is given to connect storage devices to Marist information resources if:
a) The person connecting the device is authorized to use the information resource they are connecting to,
b) The device does not interfere with the normal operation of the information resource,
c) Connecting the device does not otherwise violate this policy;
15. Install or connect to any Marist College information resource any telecommunications or networking equipment without the written permission of the CISO. A general exception is given to Information Technology staff who, as part of their normally assigned duties, install or connect telecommunications and networking equipment.

Rights Reserved to Marist College
Marist College reserves the right to:
1. Examine or monitor any information resource including, but not limited to, equipment, software, computer files, information and data. It is not the policy of the College to routinely examine or monitor these resources; however, the College may choose to do so at any time. The following are situations in which the College may invoke this right. This list is not intended to be exhaustive.
a) It is required by legal authority,
b) The information resource in question may be in violation of this or other policies of the College,
c) The CISO, with the coordination, advice and consent of the Executive Vice President and the Chief Information Officer, deems it necessary for the efficient and effective operation of the College's information resources,
d) The CISO is directed to do so by the College President,
e) It is required for IT staff to perform repair or normal operation and maintenance activity,
f) Other reasons determined by the Information Security Policy Steering Committee;
2. Remove or block access to any information resource at any time, at Marist College or elsewhere, should the resource:
a) Be in violation of this or any other policy of the College,
b) Interfere with the operation of information resources at Marist College or elsewhere,
c) Be in violation of state or federal law or regulation,
d) Warrant it for other reasons as determined by the Information Security Policy Steering Committee and approved by the Executive Vice President and the CIO;
3. Prohibit or inhibit any information resource that the CISO, with the advice of the Information Security Policy Steering Committee and the approval of the Executive Vice President and the CIO, determines is:
a) In violation of this or any policy of the College,
b) Interfering with the operation of information resources at Marist College or elsewhere,
c) In violation of state or federal law,
d) Not in keeping with the high ethical standards of Marist College;
4. Report to local, state or federal authorities any information-resource-related activities that appear to violate law or regulation.

Reporting Violations
All members of the Marist College community will report violations or suspected violations of this policy to the CISO at security@marist.edu. Alternatively, violations or suspected violations may be reported to the Vice President and Chief Information Officer. Information Technology staff who become aware of a potential or suspected violation of this policy in the normal course of their work are required to inform the CISO of the event. The CISO, with the advice and consent of the Executive Vice President and the Chief Information Officer, may, if appropriate, report violations of this policy to law enforcement.

Policy Sanctions
Anyone found to have violated this policy will be sanctioned using the processes found in existing Marist College policy and, where applicable, employment contracts.

Sources
The following non-Marist resources were either used in the development of this policy or are good references for the Marist community in following the procedures, standards and guidelines in this policy. The list is not part of the policy and may be amended as needed.
"IT Security for Higher Education: A Legal Perspective", http://www.educause.edu/ir/library/pdf/csd2746.pdf
"A National Strategy To Secure Cyberspace: Questions To Be Addressed", http://www.gcn.com/cybersecurity/breakout3pgs.pdf
"A National Strategy To Secure Cyberspace", http://www.whitehouse.gov/pcipb/
"Collaborations on Internet Security (CIS) Final Report", http://www.itrd.gov/fnc/fnc-pswc.pdf
RFC 2196 (FYI 8), "Site Security Handbook", ftp://ftp.rfc-editor.org/in-notes/rfc2196.txt
RFC 3127, "Authentication, Authorization, and Accounting: Protocol Evaluation", http://www.rfc-editor.org/rfc/rfc3127.txt
The SANS Security Policy Project, http://www.sans.org/resources/policies/
"The Information Security Forum's Standard of Good Practice", http://www.isfsecuritystandard.com/
"OECD Guidelines for the Security of Information Systems and Networks", http://www.oecd.org/pdf/M00033000/M00033182.pdf
Open Web Application Security Project, http://www.owasp.org/
ISO17799 Newsletter, http://www.iso17799-web.com/
"Why Security Policies Fail", Control Data, http://downloads.securityfocus.com/library/Why_Security_Policies_Fail.pdf
Educause/Internet2 Computer and Network Security Task Force, http://www.educause.edu/security/
"Identifiers, Authentication, and Directories: Best Practices for Higher Education", http://middleware.internet2.edu/internet2-mi-best-practices-00.html
"Libraries Put Up Patriot Act Warnings, But Are They Overreacting?", Orin Kerr, http://volokh.blogspot.com/2003_03_09_volokh_archive.html#90481062
"Internet Surveillance Law After the USA Patriot Act: The Big Brother That Isn't", http://papers.ssrn.com/sol3/papers.cfm?abstract_id=317501

Other higher educational institutions used as reference:
• University of Florida, http://www.it.ufl.edu/policies/security
• Georgetown University, http://www.Georgetown.edu/uis/security/policies.html
• University of Toronto, http://www.utoronto.ca/security/policies.html
• University of California at Berkeley, http://Socrates.Berkeley.edu:2002/pols.html
• Penn State, http://guru.psu.edu/policies/AD20.html

Approval Process
• Information Security Policy Steering Committee: Date Approved: Feb 2004
• Technology Committee of the Board of Trustees: Date Approved: Nov 2004
• Board of Trustees: Date Approved: Nov 2004

Review Cycle
This policy will be reviewed and updated as needed, and at least annually, based on the recommendations of the College Information Security Officer, the Vice President of Information Technology/CIO and the Executive Vice President.
Reviewed: May 2014

Appendices
In general, the appendices are not part of this policy but are incorporated by reference in the policy. Committee members may be added or replaced as needed by the Chair. Standards, as described, are maintained by the IT Security Procedures and Practices Working Group and are not part of this policy. Current copies of these Standards are available on the Information Security Web pages listed in the Additional Resources section of this document.

A. Information Security Policy Steering Committee Members
Director of Physical Plant
Dean, School of Graduate and Continuing Education
Vice President for Student Affairs
Director of Library Services
Director of Safety and Security
Vice President of Information Technology/CIO
Asst to the President for Technology & e-Commerce Initiatives
Executive Vice President (Chair)
Dean, Computer Science and Math
Assistant Academic Vice President/Dean Academic Programs
Director of Academic Technology and eLearning
FAC Representative Faculty Member
Director of Technology & College Information Security Officer
SGA Representative
IBM Lead Solutions Architect

B. IT Security Procedures and Practices Working Group
College Information Security Officer (Chair)
Associate Director, Academic Technology
Manager, Administrative Computing
Manager, Help Desk
Network Manager
Systems Administrator, MVS
Systems Administrator, Open Systems
Telecommunications Engineer
Manager, Client Technologies
Security Analyst
Director of Web Technologies
Manager of Client Services

C. Marist College Standard for Information Classification
This Policy applies to all College information resources, including those used by the College under license or contract. "Information resources" include information in any form and recorded on any media, and all computer and communications equipment and software.
All information covered by this Policy is assigned one of three classifications depending on the level of security required. In decreasing order of sensitivity, these classifications are Confidential, Internal use only, and Unrestricted. Information that is either Confidential or Internal use only is also considered to be Restricted.

• Confidential information
This classification covers sensitive information about individuals, including information identified in the Human Resources Manual, and sensitive information about the College. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use.
Specific categories of confidential information include information about:
o Current and former students (whose education records are protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records; and prospective students, including information submitted by student applicants to the College;
o Library patrons, and donors and potential donors;
o Current, former, and prospective employees, including employment, pay, benefits data, and other personnel information;
o Research, including information related to a forthcoming or pending patent application, and information related to human subjects. Patent applications must be filed within one year of a public disclosure (i.e., an enabling publication or presentation, sale, or dissemination of a product reduced to practice, etc.) to preserve United States patent rights. To preserve foreign patent rights, patent applications must be filed prior to public disclosure. Therefore, it is strongly recommended that, prior to any public disclosure, an Invention Disclosure Form be submitted to the Office of Technology Transfer for evaluation of the technology and determination of whether to file a patent application, thereby preserving U.S. and foreign patent rights;
o Certain College business operations, finances, legal matters, or other operations of a particularly sensitive nature;
o Information security data, including passwords;
o Information about security-related incidents.

• Internal use only
This classification covers information that requires protection against unauthorized disclosure, modification, destruction, and use, but whose sensitivity is less than that of Confidential information. Examples of Internal use only information are internal memos, correspondence, and other documents whose distribution is limited as intended by the Steward.
• Unrestricted information
This classification covers information that can be disclosed to any person inside or outside the College. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and destruction of the information.

• Default classification
Information that is not classified explicitly is classified by default as follows: information falling into one of the Confidential categories listed above is treated as Confidential. Other information is treated as Internal use only unless it is published (publicly displayed in any medium) by the Steward, in which case it is classified Unrestricted.